Yesterday’s LabMD decision was stunning; here’s why:  Unlike the ONLY other Federal Trade Commission target who has ever dared  to challenge ANY of the “hundreds of privacy and data security cases” the FTC has brought, WyndhamLabMD was not allowed to avail itself immediately of Article III courts, but was instead forced first through a very arduous multi-year administrative process.  Given the long tenures of most FTC commissioners, this process involved a Complaint issued by many of the same FTC Commissioners to whom the Initial Decision has now been issued.   Thus the FTC ALJ’s ruling to the FTC against the FTC on the basis that the FTC’s Complaint Counsel failed to prove its case on the merits — without even reaching LabMD’s affirmative defenses — has to be celebrated as an act of judicial independence in our still-wonderful rule of law, even though or perhaps because it came on the same day as the news from Paris made us wonder about what Life has in store.

Yesterday’s decision is also important to future FTC actions and to data breach litigation more generally in its examination in detail of the remarkably weak evidence of harm put forth by the government and all of its experts.   Of course, the government’s case was made uniquely vulnerable by its partial reliance on the fruit of the uniquely poisoned tree of which all of you following the case should be well aware, and about which those of you who have not might want to read.   The FTC’s Chief Administrative Law Judge D. Michael Chappell goes much further than that poisoned tree in his Initial Decision, however, requiring a different factual floor for an unfairness claim under Section 5 of the FTC Act than the floor which his agency has urged on him and us.

The basis of the decision is that the FTC failed to satisfy even the first prong of the three-part test imposed by Congress in 1994 as Section 5(n) of the FTC Act in order to limit the FTC’s power, which states that:

[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair unless [1] the act or practice causes or is likely to cause substantial injury to consumers [2] which is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.

The ALJ found failures to prove identity theft-related harms, and failure to prove subjective or emotional harm, finding also that the latter, even if proven, would not constitute “substantial injury.”   He also found failure to show substantial injury in the theory that an insecure network is at risk of a data breach, because:

 the evidence fails to assess the degree of the alleged risk, or otherwise demonstrate the probability that a data breach will occur. To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical “risk” of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of “likely” substantial consumer injury.

The words “speculation” and “speculative” appear seventeen times in the decision, usually in judgments about the quality of the FTC’s case and of the testimony of its experts, and we might expect it to echo through many responses to FTC accusations and data breach disputes in the coming years.   Those of you more interested in civil data breach litigation than in becoming only the THIRD entity to EVER challenge the FTC on privacy/security will be particularly interested in LabMD’s distinction between this case and Neiman Marcus, in which the 7th Circuit found that courts have “overread Clapper” by setting the harm bar too high for  Article III standing:

Significantly, the court in Neiman Marcus, in concluding that the plaintiffs had demonstrated sufficient injury to obtain Article III standing, remarked: “[I]t is plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach. Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Neiman Marcus, 2015 U.S. App. LEXIS 12487 at **12. Here, in contrast, the evidence fails to show any computer hack for purpose of committing identity fraud….

For those most interested, on the other hand, in the practical legal meaning of “reasonable security” under the FTC Act and the FTC’s future use of its “unfairness” authority — assuming the FTC pays attention to the words of its own Chief Administrative Law Judge — the words that ring the loudest may be those at the very end of the decision’s Summary of Conclusions of Law:

Because Complaint Counsel failed to meet its burden of proving the first prong of the three-part test in Section 5(n) – that Respondent’s conduct caused, or is likely to cause, substantial consumer injury – Respondent’s alleged failure to employ “reasonable and appropriate data security” for information maintained on its computer networks cannot be declared an “unfair” act or practice in violation of Section 5(a) of the FTC Act.